MySQL is one of the most widely used database servers behind web applications. Sergei Golubchik of the MariaDB project recently reported a serious authentication flaw in both MariaDB and MySQL. According to the advisory, all MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are affected; MariaDB 5.1.62, 5.2.12, 5.3.6 and 5.5.23 and later, and MySQL 5.1.63, 5.5.24 and 5.6.6 and later, are not. The problem is in the password check performed when a client connects: the server computes a token (a SHA hash over the password and a random scramble string sent by the server) and compares it with the expected value using memcmp(). Because of an incorrect cast, the comparison result was narrowed to a one-byte boolean, so a non-zero memcmp() result could still be treated as "equal". In that case
MySQL/MariaDB accepts the password even though it is wrong. Since the scramble string is random, each attempt has roughly a 1/256 chance of hitting the bug. Anyone who knows a valid user name (and "root" almost always exists) can therefore log in with *any* password simply by retrying the connection; about 300 attempts take only a fraction of a second, so password protection on an affected server is effectively nonexistent. Any client will do; no special libmysqlclient build is needed.
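The narrowing described above is easy to reproduce in isolation. The following C program is an added example, not code from MySQL or MariaDB: it models the vulnerable check_scramble() shape (an int from memcmp() returned through MySQL's one-byte my_bool) next to the fixed shape, and uses a constructed stand-in for an optimised memcmp() that can return differences outside the -128..127 range. The stand-in, the token values and the helper names are all assumptions made for the demonstration; real libc implementations vary, which is exactly why exploitability depended on the build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHA1_HASH_SIZE 20

/* MySQL's historical my_bool is a single byte; returning an int through it
 * is the narrowing that CVE-2012-2122 turns on. */
typedef char my_bool;

/* Constructed stand-in for an optimised memcmp() (assumption, not a real
 * libc routine). It compares four bytes at a time and, at the first
 * differing word, returns the difference of the two words read big-endian.
 * Any non-zero int is a legal memcmp() result, but the low byte of such a
 * difference is zero for 1 in 256 mismatches. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    size_t i;
    for (i = 0; i + 4 <= n; i += 4) {
        uint32_t wx = ((uint32_t)x[i] << 24) | ((uint32_t)x[i + 1] << 16) |
                      ((uint32_t)x[i + 2] << 8) | (uint32_t)x[i + 3];
        uint32_t wy = ((uint32_t)y[i] << 24) | ((uint32_t)y[i + 1] << 16) |
                      ((uint32_t)y[i + 2] << 8) | (uint32_t)y[i + 3];
        if (wx != wy)
            return (int)(wx - wy);   /* non-zero, but possibly a multiple of 256 */
    }
    for (; i < n; i++)
        if (x[i] != y[i])
            return (int)x[i] - (int)y[i];
    return 0;
}

/* Vulnerable shape: 0 means "password accepted". On mainstream compilers the
 * int-to-char conversion keeps only the low byte, so 256, 512, ... become 0. */
static my_bool check_scramble_vulnerable(const unsigned char *token,
                                         const unsigned char *expected)
{
    return (my_bool)wide_memcmp(token, expected, SHA1_HASH_SIZE);
}

/* Fixed shape: decide equality while the result is still an int. */
static my_bool check_scramble_fixed(const unsigned char *token,
                                    const unsigned char *expected)
{
    return wide_memcmp(token, expected, SHA1_HASH_SIZE) != 0;
}

typedef my_bool (*scramble_check)(const unsigned char *, const unsigned char *);

/* Sanity check: an identical token must be accepted by either checker. */
static int correct_token_accepted(scramble_check check)
{
    unsigned char expected[SHA1_HASH_SIZE] = {0x5a};
    return check(expected, expected) == 0;
}

/* Keep the expected token fixed, force a mismatch in the first word, and
 * sweep that word's low byte through all 256 values. Returns how many of
 * these 256 wrong tokens the checker accepts. */
static int count_false_accepts(scramble_check check)
{
    unsigned char expected[SHA1_HASH_SIZE] = {0};
    unsigned char token[SHA1_HASH_SIZE] = {0};
    int accepted = 0;
    token[0] = 0x01;                 /* guaranteed mismatch, diff = 0x01000000 + low */
    for (int low = 0; low < 256; low++) {
        token[3] = (unsigned char)low;
        if (check(token, expected) == 0)
            accepted++;
    }
    return accepted;
}

/* Probability that at least one of `attempts` wrong-password logins is
 * accepted when each attempt independently succeeds with probability 1/256. */
static double p_any_success(int attempts)
{
    double p_all_fail = 1.0;
    for (int i = 0; i < attempts; i++)
        p_all_fail *= 255.0 / 256.0;
    return 1.0 - p_all_fail;
}

int main(void)
{
    printf("false accepts over 256 wrong tokens: vulnerable=%d fixed=%d\n",
           count_false_accepts(check_scramble_vulnerable),
           count_false_accepts(check_scramble_fixed));
    printf("correct token accepted: vulnerable=%d fixed=%d\n",
           correct_token_accepted(check_scramble_vulnerable),
           correct_token_accepted(check_scramble_fixed));
    printf("P(at least one success in 300 attempts) = %.3f\n", p_any_success(300));
    return 0;
}
```

The vulnerable checker accepts exactly one of the 256 wrong tokens, the fixed one accepts none, and with a 1/256 per-attempt chance about 300 attempts give roughly a 69% chance of getting in, which is why a tight retry loop with any ordinary client is enough. Note that the int-to-char conversion of an out-of-range value is implementation-defined in C; the demonstration relies on the modulo-256 behaviour that GCC and Clang actually implement.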
The vulnerability has been assigned CVE-2012-2122, and fixed releases are available; upgrading is the only real remedy. Beyond that, administrators should not expose the MySQL server to the network unless it is necessary: bind it to the loopback interface or restrict access with a firewall so that the authentication check is never reachable by an attacker in the first place. Whether a given binary is actually exploitable depends on how it was built, since the flaw only triggers when the C library's memcmp() can return values outside the range of a signed char, so testing your own build is worthwhile before assuming you are safe. A module for this bug has been added to the Metasploit framework.
